The US Department of Health and Human Services’ Office for Civil Rights (OCR) has launched an investigation to determine whether protected health information was compromised in the recent Change Healthcare data breach.
The incident occurred on February 21, when Change Healthcare’s claims and payment infrastructure was disrupted as result of a ransomware attack, impacting the ability of over 7,000 pharmacies and hospitals to process prescriptions.
Last week, Change Healthcare parent company UnitedHealth Group (UHG) announced that pharmacy services have been restored and that electronic payment functionality would be back up and running by the end of this week.
The Alphv/BlackCat ransomware group took responsibility for the attack in late February, claiming to have stolen at least four terabytes of data from the healthcare transactions processing firm.
Change Healthcare reportedly paid a $22 million ransom to the attackers, but the BlackCat operators seemingly pulled an exit scam, refusing to share the proceeds with the affiliate that perpetrated the attack and stole the data.
Prompted by the magnitude of the attack, OCR on Wednesday announced that it is launching an investigation into the incident, with a focus on “whether a breach of protected health information occurred”.
“The cyberattack is disrupting health care and billing information operations nationwide and poses a direct threat to critically needed patient care and essential operations of the health care industry,” HHS said.
According to OCR, the investigation will not prioritize healthcare providers and business associates tied or impacted by the attack, but will probe Change Healthcare and UHG’s compliance with HIPAA rules.
“We are reminding entities that have partnered with Change Healthcare and UHG of their regulatory obligations and responsibilities, including ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs,” OCR notes in a Dear Colleague letter (PDF).
OCR administers and enforces HIPAA privacy, security, and breach notification rules, which set minimum requirements for safeguarding protected health information and reporting data breaches.
Related: Healthcare’s Ransomware Epidemic: Why Cyberattacks Hit the Medical Sector With Alarming Frequency
Related: EquiLend Ransomware Attack Leads to Data Breach
Related: Critical Infrastructure Organizations Warned of Phobos Ransomware Attacks
